Software for US military to be subject to new legal checks

By Graeme Burton
08 Jan 2013

Software engineers working for the US military will have to follow new testing procedures to reduce the risk of security flaws in their code.

That is one of a number of computer security-related measures contained in the 2013 National Defense Authorization Act, signed into law by President Obama on 2 January.

The demands follow a series of security scares and warnings from the Department of Homeland Security that software developers were overlooking the importance of security. A new 'baseline software assurance policy' developed by the Pentagon will introduce rigorous new procedures for testing and debugging at every stage of software development.

IT staff will be required to use automated vulnerability analysis tools to inspect software code during the entire lifecycle of software development.

The law will also inaugurate a reorganisation of US Cyber Command, require a strategy for deploying a secure IT structure across the US government's entire defence estate to be devised, and will oblige defence contractors to inform Pentagon officials about penetrations of company-owned networks.

Secure military networks will require a "joint information environment" that could drive the consolidation of IT infrastructure and contracts across the different services in the US defence establishment. The ultimate aim, according to reports, is to move computing from desktop PCs to apps accessible from any device, which can more easily be centrally controlled.

Within the year, officials at the Department of Defense must also report to Congress on how the Pentagon "might hold contractors liable for software defects or vulnerabilities".

Quarterly briefings will start in March to inform officials of "all offensive" operations initiated by the Pentagon's "cyber warriors". Also in March, the Department of Defense will need to publish the criteria for measuring the effectiveness of procedures called for in 2011 to manage "supply chain risks" - the risk of technology infrastructure within the supply chain being tampered with, deliberately or otherwise, potentially opening up security holes in systems thought to be secure.

By April 2013, the department must submit a strategy that includes a roadmap for the overhaul, as well as its estimated cost and projected cost savings. By January 2014, officials will be required to provide a personnel plan listing the staffing levels required for each military department and combat support agency for "full spectrum cyber operations, including the national cyber defense mission and the operational plans of the combatant commands", the law states.

By 2017, the department must report on the effectiveness of the criteria developed in March.
